Vulnerability Scanning vs. Penetration Testing

Feb 5, 2019 | Security

Do you understand the difference?

Simply put, vulnerability scanning is passive and penetration testing is active.  Both of these assessments/tests have value and both can assist in your overall ability to evaluate your external security exposure.

So, why do either (or both)? Well, for starters, because the hackers are doing both too. But this can also be compared to your annual medical exam. Even if you believe you are healthy, your physician will run a series of tests to detect dangers that have not yet developed symptoms. Let’s look more specifically at how each of these tests is conducted and what the outcomes are.

External Vulnerability Assessment

External Vulnerability Scanning is non-intrusive.  The purpose is not to attempt to exploit the vulnerabilities.   The analysis is designed to determine if it is possible for external parties to access your systems.  So, the focus is more on potential threats.  The outcome is a score-based rating system and remediation recommendations are provided to help address any issues found.  This is a sample of the report provided:

External Penetration Assessment

External Penetration testing focuses on the critical threats to your organization. This test consists of manual processes that mimic a bad actor and their techniques. With your approval, a security professional or vCISO attempts to gain access to your environment to try to exploit any vulnerabilities. After successfully exploiting your perimeter, the security professional or vCISO then attempts lateral movement within your network.

Conducting an Assessment

When was the last time you truly tested your network and had a view of what you were exposing to the outside world? Peters & Associates offers a full range of Information Technology Security Assessments and Managed IT Services. External scoping options may include all or a combination of these options:

Our external vulnerability assessments, penetration tests, and black box testing options include deliverables that contain remediation recommendations. Contact us at to learn more!